I’m struggling to find an answer to redirect Mac Auth Hotspot users to a webpage.
We have an outside Radius Server and a Mikrotik router with Hotspot setup for Mac Auth only. All users have a CPE device with unlimited internet access since their accounts never expire and are authenticated based on the MAC of the CPE. Their internet connection will always be available and active.
How can I redirect these users every month to a webpage, and every 6 months to an Agreement page where they have to Agree to new terms?
Session-Timeout - overrides session-timeout in the default configuration
WISPr-Redirection-URL - URL, which the clients will be redirected to after successful login
Have the RADIUS server send the Session-Timeout attribute, set to 15778463 (the number of seconds in 6 months). That way the CPE will automatically be logged out after 6 months and will re-authenticate. Alternatively, set that as the session timeout on the ‘default’ Hotspot user profile, which all RADIUS users that don’t have it specified will inherit.
Also send the WISPr-Redirection-URL attribute to the URL to show users after they successfully authenticate with their MAC address. Alternatively edit your alogin.html to redirect to that URL instead.
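For reference, this is what the two attributes from that reply look like on the wire in an Access-Accept. This is an added example, not code from the thread or from any RADIUS product mentioned in it; it hand-encodes the attribute TLVs (Session-Timeout is standard attribute 27, WISPr-Redirection-URL is vendor-type 4 under the WISPr enterprise number 14122 inside a Vendor-Specific attribute) and parses them back, and the portal URL is a constructed placeholder.

```python
import struct

SESSION_TIMEOUT = 27        # RFC 2865 standard attribute, 32-bit unsigned integer
VENDOR_SPECIFIC = 26        # RFC 2865 container for vendor attributes
WISPR_VENDOR_ID = 14122     # enterprise number used by the WISPr dictionary
WISPR_REDIRECTION_URL = 4   # vendor-type of WISPr-Redirection-URL
SIX_MONTHS = 15778463       # the Session-Timeout value suggested in the thread


def encode_session_timeout(seconds: int) -> bytes:
    """Session-Timeout TLV: type, length (always 6), big-endian uint32."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must fit in an unsigned 32-bit integer")
    return struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds)


def encode_wispr_redirect(url: str) -> bytes:
    """Vendor-Specific TLV wrapping the WISPr-Redirection-URL sub-TLV."""
    data = url.encode("ascii")
    if len(data) > 247:  # 255 max attribute length minus 8 bytes of VSA framing
        raise ValueError("URL too long for a single Vendor-Specific attribute")
    vendor_tlv = struct.pack("!BB", WISPR_REDIRECTION_URL, 2 + len(data)) + data
    body = struct.pack("!I", WISPR_VENDOR_ID) + vendor_tlv
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_accept_attributes(url: str, seconds: int = SIX_MONTHS) -> bytes:
    """Attribute list a RADIUS server would put in the Access-Accept."""
    return encode_session_timeout(seconds) + encode_wispr_redirect(url)


def decode_attributes(blob: bytes) -> dict:
    """Walk a RADIUS attribute list and pull out the two attributes above."""
    out, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + alen]
        if atype == SESSION_TIMEOUT:
            out["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == WISPR_VENDOR_ID and vtype == WISPR_REDIRECTION_URL:
                out["WISPr-Redirection-URL"] = value[6:4 + vlen].decode("ascii")
        i += alen
    return out
```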
-Every MAC has a user account on the Radius side, and that account session is set to expire in 99 years so that way their account is always active.
-We use Radius to easily keep track of the person’s name or address with the account, the CPE they have, and the service they chose, and also to upgrade their service easily.
Since the radius session will never end, can it be overridden on the Hotspot? It doesn’t work for me since they have a CPE (modem) that is always on and I think it checks in after about 1 minute, so the idle never surpasses ~1 minute and never really logs out the user.
Possible option:
I thought about making everybody a Trial user to expire after 1 month and then redirect them to an advertisement or agreement. The only problem is that I can’t easily upgrade somebody’s account based on their name or address in the router, and I have to look up a mac address and probably set a binding for that MAC with a different IP pool for a different service. I think that gets messy and a lot of different items have to be attended to, when a radius server is more automated.
I think there needs to be a better solution with the radius server usage. How can it get done if it were just a PPPoE service? Using mangle, proxy and redirects? Any thoughts?
Unless you have an extremely inflexible RADIUS solution you can send out a Session-Timeout value that has nothing to do with when the account expires in the backend user database.
If your RADIUS solution is that inflexible don’t send a Session-Timeout attribute at all and inherit it from the default user profile set to 6 months as I described.
Trial users are a bad option because you lose accounting. Mangle/proxy/redirect is a bad option because Hotspots use that internally already, fitting something else in there is complicated.
We have Radius Manager which is limited in what it can do but does a decent job.
Since our Radius server is only authenticating a Mac address on a modem that is always on, would the session-timeout work on the User Profile on the hotspot?
The idle time for the Mac Hotspot user never surpasses 1 minute and then it resets, so all the modems and Mac hotspot accounts stay Active. When I test by putting anything in the session timeout, it never hits it, so I don’t understand how it can work for a 6 month Session Timeout.
It should work. Session timeouts are a hard limit for that session - it has nothing to do with keepalive or idle timeouts. It literally means “log this user out after this much time, starting from log on”.
When you say the RADIUS server authenticated the MAC address of the CPE, do you mean that the Hotspot is set to do MAC authentication so that the CPE’s MAC address is used on a Hotspot login screen?
When you set a session timeout does the Hotspot count down towards it? What happens when the counter hits 0?
I’ll test it and try a few different things to see about the Session Timeout.
Yes, the Modem (CPE) is the only authenticated device based on the MAC address. Our Radius server is set up with the Mac address as the user account and will never expire. The hotspot is set up for Mac Auth only, BUT the end-user never sees the login page, since it already logs that user in based on the mac address.
Can session timeout still work with that setup since our modems are always on with an unlimited session from Radius and then they auto-login to radius?
Ah, in that case this won’t work. The modem logs in automatically so there’s no redirect screen.
The only things I can think of that would work is to expire the MAC address account and turn it off until they acknowledge new ToS on the login page, which would have to make some sort of API calls to tell RADIUS the account is OK again, or to maybe play around with the advertise feature.
Though I have to ask: if this is all you’re using the Hotspot for, why aren’t you just using something like PPPoE? It’s a MUCH better fit for what you’re doing. You’re not using any of the features a Hotspot is good for.
Completely agree with PPPoE over Hotspot. The only reason I turned to hotspot was to potentially set up a login or ToS agreement, but if that won’t work, I may go back to PPPoE.
Also, I didn’t want people to have to know or remember their PPPoE account. Is there an easier way to set up the Redirect to a ToS using PPPoE but without the end-user knowing their account information?
Or maybe use hotspot with an invisible access password, and redesign the login page to Read “I agree” rather than Login?
I think I’m close to a viable solution, but can you comment on the following:
Is there a simple way to set up an Access Code to use the hotspot service (or PPPoE if I went that route), but still have the Hotspot connection come from the modem?
For example, since I enabled a Mac Auth Password, the hotspot login page shows up now, but in order to activate the session you must type in the Mac address of the modem as a username. Maybe I’m missing the function of the Mac Auth Password, but it would be nice to just apply a password and have the user type that in to access the internet:
Example:
Have an agreement, and then have a box that says if you agree to the password, type agree, and hit OK. That would log them in using the Access Code, and also get them to agree to the service.
Hotspot is the most ideal setup for the scenario, but since every user will have a modem that I want to be the form of authentication, I had to set it up this way:
-Hotspot based on MAC, HTTP CHAP/PAP, Cookie
-Apply a Mac Auth Password (not even sure what Mac Auth Pass means). Applying this causes end users to be prompted to login where they have to type the Mac of their Modem.
-Redesign the Login Page to Show our Service Agreement. Redesign Login area to say, Please type your Modem Mac address (picture for reference) if you agree to the Service Agreement. Then they hit Ok, and they send the Radius server their Mac address to login and to agree to the terms.
-I could advertise to end-users at any time, since I have cookies set up for 99 years. I just close all Active Connections at which point the Cookie will log their Modem back in, but the session won’t begin until somebody opens a browser on the Modem LAN. Once they go to a webpage, the cookie has logged in the modem, and calls up alogin.html which allows me to redirect the end-user to my own website for advertising.
-Anytime I want the user to accept new Terms, I close all Connections and delete all cookies.
Fewi, what do you think? Too much of a hack, or are there bigger issues caused from this approach? Any advice? Thanks.
Weeks later, we finally updated our Radius Server (Radius Manager), and now they support Custom Radius Attributes per user account.
We now can apply the Session Timeout and a Redirect page in order to force users to a certain webpage for Advertising or our Terms and Conditions which they need to agree to.